03.03.01: Event Logging
Control Family: Audit and Accountability
SPRS: N/A
Top Ten Failed Requirement: N/A
Supporting Publications:
SP 800-92 [35]
Referenced in: N/A
Control Type: N/A
CPCSC Level 2: 03.03.01
CMMC Level(s): N/A
Derived From: NIST SP 800-53r5
AU-02
a. Specify the following event types selected for logging within the system: [Assignment: organization-defined event types].
b. Review and update the event types selected for logging [Assignment: organization-defined frequency].
Discussion:
An event is any observable occurrence in a system, including unlawful or unauthorized system activity. Organizations identify event types for which a logging functionality is needed. This includes events that are relevant to the security of systems and the environments in which those systems operate to meet specific and ongoing auditing needs. Event types can include password changes, the execution of privileged functions, failed logons or accesses related to systems, administrative privilege usage, or third-party credential usage. In determining event types that require logging, organizations consider the system monitoring and auditing that are appropriate for each of the security requirements. When defining event types, organizations consider the logging necessary to cover related events, such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures.
Monitoring and auditing requirements can be balanced with other system needs. For example, organizations may determine that systems must have the capability to log every file access — both successful and unsuccessful — but only activate that capability under specific circumstances due to the potential burden on system performance. The event types that are logged by organizations may change over time. Reviewing and updating the set of logged event types are necessary to ensure that the current set of event types remains relevant.
Assessment Methods and Objectives
Examine [SELECT FROM: audit and accountability policy and procedures; procedures for auditable events; system design documentation; system configuration settings; system audit records; system auditable events; system security plan; other relevant documents or records]
Interview [SELECT FROM: personnel with audit and accountability responsibilities; personnel with information security responsibilities; system administrators]
Test [SELECT FROM: mechanisms for implementing system auditing]
NIST SP 800-171A r3 Determining Statements
Determine if:
A.03.03.01.ODP[01]: event types selected for logging within the system are defined.
A.03.03.01.ODP[02]: the frequency at which the event types selected for logging are reviewed and updated is defined.
A.03.03.01.a: the following event types are specified for logging within the system: <A.03.03.01.ODP[01]: event types>.
A.03.03.01.b[01]: the event types selected for logging are reviewed <A.03.03.01.ODP[02]: frequency>.
A.03.03.01.b[02]: the event types selected for logging are updated <A.03.03.01.ODP[02]: frequency>.